InsightConnect Jira Workflow

Hello,

I apologize if this is the wrong area for this request. I’m very new to InsightConnect workflow creation, and I was wondering if there is a resource on how to create a basic workflow for monitoring certain Jira tickets that are created.

Essentially, we are looking to have InsightConnect monitor our cloud-deployed Jira instance and look for any tickets titled [PHISH], to examine the body for the reported URL against VirusTotal, and then escalate the ticket to a P3/P2 if it comes back as malicious.

Thank you in advance!

The first step in your workflow will be Jira. This will be the trigger step.

You have two options for the way Jira can trigger workflows within InsightConnect.

Monitor Issues:

New Issues:

It sounds like these would be new incidents created in Jira, so the New Issues should work.

In the trigger you will either use a specific project (if all your phishing tickets go into their own project, that would work), or you need to use a JQL statement. If you input the project ID into the action, it is looking for the letters at the end. In my screenshot it would be looking for KD.

If you need to use a JQL statement that would look something like this:
project = "Project Name" AND summary ~ "[PHISH]"
You can build this out in Jira where you build a new filter to test with and make sure it works. That is the same statement you would use in the JQL portion of the trigger.

The trigger creates output that will be available to your steps later in the workflow.

Without seeing what an actual ticket looks like you will have to look at the output from that step and see where in the output is the URL you are wanting to pass to VirusTotal. I would assume it is going to be part of the body and need to be extracted out.

Choose an action step, type virus total, and within the list of options available in the Virus Total Plugin is an option called Submit URL. It allows you to pass a single URL as input to then be looked up. You pass data from the Trigger step to the VirusTotal Step by clicking the blue + icon as seen in my screenshot, and then selecting the appropriate variable from the previous steps in your workflow.

To make a decision based on the response from Virus Total you will choose a Decision Step. You name your decision something like “Malicious Yes or No”, then you have two paths as default options, but you can add additional if you need. I would name the two paths Yes and No or Malicious, Not Malicious, something that makes sense to you.

The bottom of the step asks you to choose a default path. The default path does not matter at all. On the next page it will ask you to define the logic for the opposite of whatever you chose to be default. If you choose Yes as the default path, it will always go down the yes path unless the logic defined by you makes it a no.

Use this as a guide for formatting the language to define what is malicious or not: Format Query Language | InsightConnect Documentation

You will pick a variable and then use something from that doc to make it work for you.

If you wanted to take the total malicious votes, you would pick that variable and use the greater than and your number.

Next you will have two paths presented to you. For the path that should escalate to malicious, you will choose another Jira step. Depending on how your escalations happen, it will either be an assign step, transition, or edit. I am not really sure how that works for you, but look at the list of available actions and decide. Output from your trigger step contains a variable that you will pass to this new Jira step. It is called issue.id. That is the variable that will allow you to make changes to your ticket created at the start of the workflow.

Hopefully that helps. If you get stuck anywhere feel free to reach back out.
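The extraction and threshold logic discussed in this thread, as an added Python sketch that is not part of the reply above and is not InsightConnect or plugin code. It assumes the ticket body arrives as a plain or wiki-markup string and that reporters may have defanged the link; the function names, the sample ticket and the `lookup` callable (a stand-in for the VirusTotal step that returns a malicious vote count) are all hypothetical.

```python
import re

# Constructed sample of a [PHISH] ticket body; not taken from a real ticket.
SAMPLE_BODY = """User reported a suspicious email.
Link in the message: [Reset password|hxxps://login.example-mail[.]test/reset?id=42].
Also seen: http://cdn.example.test/a.png, and again http://cdn.example.test/a.png
"""

# Stop at whitespace and at characters that close wiki-markup links or quotes.
URL_RE = re.compile(r"\bhttps?://[^\s\]|<>\"']+", re.IGNORECASE)


def refang(text):
    """Undo common defanging (hxxp, [.], (.)) so reported links parse as URLs."""
    text = re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)
    return text.replace("[.]", ".").replace("(.)", ".")


def extract_urls(body):
    """Return unique URLs from a ticket body, in order of first appearance."""
    seen, urls = set(), []
    for match in URL_RE.findall(refang(body)):
        url = match.rstrip(".,;:!?)")  # drop sentence punctuation glued to the link
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


def triage(body, lookup, threshold=0):
    """Return (url, votes) pairs whose malicious votes are greater than threshold.

    `lookup` stands in for the VirusTotal step; it takes one URL and returns
    the malicious vote count, matching the single-URL input described above.
    """
    results = [(url, lookup(url)) for url in extract_urls(body)]
    return [(url, votes) for url, votes in results if votes > threshold]


if __name__ == "__main__":
    # Constructed verdicts standing in for VirusTotal responses.
    fake_votes = {"https://login.example-mail.test/reset?id=42": 7}
    for url, votes in triage(SAMPLE_BODY, lambda u: fake_votes.get(u, 0), threshold=2):
        print(f"escalate: {url} ({votes} malicious votes)")
```

A body can carry more than one link, so the sketch checks each unique URL and escalates if any of them crosses the threshold.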